Domain Bypass


Last updated 1 month ago


Domain bypass allows specified domains to be routed outside the encrypted VPN tunnel, directly through the regular internet connection. This can be beneficial in scenarios where certain traffic doesn't need to or shouldn't be sent through the VPN for performance, compatibility, or security reasons.

When domain bypass is configured, the VPN client checks each outgoing network request against a list of excluded domains. If the target domain matches an entry in the bypass list, the request is routed through the device's regular network interface and internet connection. If there's no match, the request is sent through the encrypted VPN tunnel as normal.

How it works

A domain can be assigned to more than one DNS record, and there is no way to obtain all addresses even for a single domain name. For example, Google uses many CDN servers, so when you open google.com with and without the VPN, traffic will go to different servers.

Every request to an unknown resource starts with domain resolution. The SDK handles these DNS responses, and if the domain is in the bypass list, the SDK immediately creates routes for its addresses.

The SDK doesn't store any data about the sites a user visits.

Domain bypass will not work if the user uses any DNS protection method such as DNS-over-TLS. There is no way to resolve all IP addresses even for one domain.

Additional info about common issues can be found on the Common issues page.
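
The mechanism described above, as a small C# model added here for illustration (it is not Pango SDK code and calls no SDK API): routes are learned per address from DNS answers for listed names, so an address that never appeared in an observed DNS answer stays in the tunnel, and a learned route applies to everything hosted on that address. The BypassModel class, its exact-name matching rule, and the sample names and addresses are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Illustrative model only; the class and its members are hypothetical.
var model = new BypassModel(new[] { "domain1.com" });

// Constructed DNS answers (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
model.OnDnsResponse("domain1.com", "192.0.2.10", "192.0.2.11");
model.OnDnsResponse("other.example", "198.51.100.7");

Console.WriteLine(model.Path("192.0.2.10"));   // Direct: learned from a matching answer
Console.WriteLine(model.Path("198.51.100.7")); // Tunnel: name is not in the bypass list
// Tunnel: a domain1.com address that never appeared in an observed DNS answer,
// for example because the client resolved it over DNS-over-TLS.
Console.WriteLine(model.Path("192.0.2.99"));
// The route is per address, not per name: any other site hosted on
// 192.0.2.10 would also leave the tunnel in this model.

sealed class BypassModel
{
    private readonly HashSet<string> _domains;
    private readonly HashSet<IPAddress> _directRoutes = new();

    public BypassModel(IEnumerable<string> domains) =>
        _domains = new HashSet<string>(domains.Select(d => Normalize(d)));

    // Lower-case the name and drop the trailing dot of a fully qualified name.
    private static string Normalize(string name) =>
        name.Trim().TrimEnd('.').ToLowerInvariant();

    // Assumption: exact-name match; the page does not state the SDK's matching rule.
    public void OnDnsResponse(string name, params string[] addresses)
    {
        if (!_domains.Contains(Normalize(name))) return;
        foreach (var address in addresses)
            _directRoutes.Add(IPAddress.Parse(address));
    }

    // "Direct" if a bypass route exists for the destination, otherwise "Tunnel".
    public string Path(string destination) =>
        _directRoutes.Contains(IPAddress.Parse(destination)) ? "Direct" : "Tunnel";
}
```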

Updating Bypass Domain

To update the bypass domain list programmatically, use the following request.

Note: "ConfigureFirewallAsync" creates the necessary bypass rules only after the VPN tunnel is up. If you want to explicitly apply domain bypass immediately after sending the list to the SDK, use "ConfigureBypassDomains/ConfigureBypassDomainsAsync".

using System;
using System.Collections.Generic;

var sdk = new SDK();
var request = new FirewallRequest
{
    UpdateBypassDomains = new UpdateBypassDomainsRequest
    {
        // Domains to route outside the VPN tunnel.
        Domains = new List<string> { "domain1.com", "domain2.net", "domain3.org" },
    },
};

// The bypass rules are created only after the VPN tunnel is up.
var result = await sdk.ConfigureFirewallAsync(request).ConfigureAwait(false);
Console.WriteLine(result.UpdateBypassDomains);
// Message: "Ok"
// Result: Ok

In this example, the Domains property of UpdateBypassDomainsRequest is set to a list of domain names. Those domains will be routed outside the VPN tunnel whenever they are accessed.

Explicitly Updating Bypass Domain

using System;
using System.Collections.Generic;

var sdk = new SDK();
var request = new BypassDomainsRequest()
{
    UpdateBypassDomains = new UpdateBypassDomainsRequest()
    {
        // Domains to route outside the VPN tunnel.
        Domains = new List<string> { "domain1.com", "domain2.net", "domain3.org" },
    },
};

// Domain bypass is applied immediately after the request is sent to the SDK.
var result = await sdk.ConfigureBypassDomainsAsync(request).ConfigureAwait(false);
Console.WriteLine(result.UpdateBypassDomains);
// Message: "Ok"
// Result: Ok

Use Cases

There are several common scenarios where bypassing the VPN for certain domains can be advantageous:

| Use Case | Description |
| --- | --- |
| Accessing Local Network Resources | If the VPN client is used on a device connected to a local network, accessing local network shares, printers, or intranet sites through the VPN may be unnecessary and could negatively impact performance. Bypassing the VPN for local domains keeps that traffic routing efficiently on the LAN. |
| Streaming Geo-Restricted Media | Some streaming platforms restrict content to certain geographic regions based on the user's IP address. When connected to a VPN, this can prevent the user from accessing media available in their actual physical location. Configuring a bypass for domains like netflix.com allows the user to stream content as if they weren't using a VPN. |
| Reducing VPN Server Load | If an organization has a large number of devices connected to a VPN but only actually needs to secure a subset of their traffic, using domain bypass for non-sensitive domains can significantly reduce the bandwidth and processing burden on the VPN server infrastructure. |
| Improving Traffic Visibility | In some cases, organizations may want certain traffic bypassing the VPN specifically so they can monitor and filter it using other network security tools that aren't VPN-aware. This allows them to enforce web content policies, detect malware, and log activity even for traffic that doesn't need VPN encryption. |

Common issues